Session 37 VoIP Risks and Controls

Voice Over IP Risks and Controls


Voice Over IP Risks and Controls. Session Number 37. George G. McBride. October 5, 2004, 1:30 PM – 3:00 PM. Key Points To Cover This Afternoon: The fundamentals and security concerns of VoIP; Mitigating risks associated with VoIP.


Session 37 VoIP Risks and Controls

©2004 Lucent Technologies World Wide Services

Voice Over IP Risks and Controls

Session Number 37

George G. McBride

October 5, 2004 1:30 PM – 3:00 PM


Key Points To Cover This Afternoon

The fundamentals and security concerns of VoIP

Mitigating risks associated with VoIP

Confidentiality, integrity, authentication, availability, access, and non-repudiation

Determining what to look for in an audit

Measuring risk and recommending actions to reduce vulnerability


Real Quick Introduction

What is Voice over IP?
– Definition: Transmission of voice over the IP Network

Why is it important to companies?
– $$$ (and sometimes “services”)

Is this brand new?
– SIP and H.323 Standards have been around since the mid 1990s

Why now?


VoIP Introduction

What do you need for a VoIP network?
– The IP Part: A data network
– The V Part: VoIP specific equipment

H.323 and SIP are two different sets of protocols and have different infrastructure requirements
– There is some commonality between the two!


VoIP Implementation

Who put the VoIP infrastructure in place?
– Many times, the designers and implementers are the traditional “voice” personnel
• May be just learning the new technology
– Nevertheless, the technology, including products, protocols, and services, is very new and “experts” are limited!


What Are The Threats?

Concern          | PSTN Controls              | VoIP Controls
Confidentiality  | Physical                   | Encryption
Integrity        | Physical                   | Encryption/Checksums
Availability     | Physical Access Control    | Logical Access Control
Authentication   | Recognition & Caller ID    | User ID and Password
Authorization    | Access Control & Caller ID | Access Control
Design           | Large/Complex/Centralized  | Varies…Distributed
Interoperability | Centralized & Very Tested  | Distributed & Ad-Hoc


The Legal Threat

Discussions, debates, and actions are currently underway to determine whether or not the Communications Assistance to Law Enforcement Act (CALEA) requirements apply to VoIP technologies.
– Service Providers Only?
– All Companies?


Emergency Services

911 Emergency Services
– PSTN/POTS locations are generally assigned by physical port and generally don’t move around!

– VoIP Phones by definition are usually “portable” and are simply based on IP addresses

• How are location services managed? Updated? Logged?

• Is it real-time?


The Biggest Threat!

Your organization is responsible for the costs related to toll fraud

When the VoIP Gateway is compromised and hackers use the gateway for unlimited international dialing, your company is responsible for the toll charges

I still don’t have any figures to share. Do you?


Problems With “Auditing” VoIP

We’re often asked to “audit” the VoIP infrastructure against the current policies

These policies do not address the minimum security baseline for a VoIP infrastructure

Typical VoIP audits are also part “assessment”


The Audit: Documentation Review

Should begin with a formal review of all corporate documentation regarding the VoIP infrastructure:
– IP Network Infrastructure
– Corporate Service Offerings
– VoIP Infrastructure
• Client Devices
– Acceptable Use statements
– PSTN Interface SLAs


Auditing: Risk Management

One of the most important aspects to manage!
– Identification and Inventory of Assets
– Understanding of threats, vulnerabilities, and controls
– Cannot be evaluated in isolation. Threats and vulnerabilities are internal and external.

This is one area where Audit and IT Security can work together.


Auditing: The Architecture

Architecture:
– Need personnel with auditing, technology, and product know-how!
– Start from the top down to understand the details as you encounter them
– There may not be a “right” architecture, but there are many “wrong” ones


Before You Begin!

From your IT Organization’s source, obtain an inventory of the VoIP infrastructure

Obtain all documentation and specifications from the vendor to understand what you have and what it is supposed to do

Obtain configuration information

Review on-line vulnerability/risk databases


Auditing Concerns

The next few slides highlight some VoIP specific concerns that we should review.
– Are these part of your organization’s standards, practices, procedures, and policies?

This is a highlight of a number of areas that should be reviewed. There are plenty more!


Basic Auditing Considerations

Physical Security:
– The old “telecom” closets are often neglected and may be insecure. Where is your VoIP equipment?

– Protect test and trial equipment as you would production equipment. It usually has production grade configuration information

– Ensure UPS equipment can handle the new loads


Business Continuity Planning & Disaster Recovery

Have you incorporated the entire VoIP infrastructure into the BCP/DR efforts?

Have you tested it?

Are the employees aware of it?

Be aware of limited restores.

Companies today tend to build significant features into their VoIP phones that they’ve grown to need.


Logical Auditing Concerns

VLAN Usage:
– Separate voice and data on logically separate networks.
• Each VLAN should have a separate DHCP Server and management system
• Promotes QoS Issues
• VLAN Jumping still an issue, depending on equipment


Logical Auditing Concerns (Cont’d)

Firewalls:
– Are you using the right one for your environment?
• Is it VoIP Specific? Does it support SIP or H.323? What about Megaco?
– Does it support Application Level Gateways or Proxies?
– Pinholing?
– Is it stateful?


Auditing The Firewall

Obtain the Firewall rule sets.
– Can you experiment in a “lab” setting? This is great to validate the firewall rule sets!

What are the static ports?
– Port 1720 for Call Signaling
– Usually H.225 traffic.
– Any others for management?

What are the required dynamic ports?

Even a VoIP-aware firewall will require reviewing, tuning, and tweaking


Logical Auditing Concerns (Cont’d)

Interfaces:
– PSTN to VoIP Infrastructure:

• At the Voice Gateway: Are SIP, H.323, MGCP, and Megaco connections from the data network prohibited?

• What authentication is configured? Required?


The Firewall

A Great Cisco Whitepaper highlights key areas where voice and data traffic intersect and should have firewall protection:
– PC Based IP Phones (d) requiring access to the voice segment (v) to place calls
– IP Phones (d) and call managers (v) accessing voice-mail
– Users (d) accessing the proxy server (v)
– Proxy Server (v) accessing network resources (d)
– IP Phones (v) to call processing manager (v) or proxy server (v) because the interaction uses the data segment to communicate


Firewall NAT

NAT, Network Address Translation, helps to efficiently utilize resources and to provide some level of security.
– Full Cone (1:1 address and port)
– Restricted Cone – same as full cone, incoming packets are rejected unless an outbound one originated the traffic (looks at IP Address Only)
– Port Restricted Cone – Like Restricted Cone but restricts the inbound packet as it must be returning to the same outbound port
– Symmetric NAT – Different mapping for each inbound – outbound pair.
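
The filtering differences between these four NAT types, as a small model added here (not from the original slides); the Nat class, addresses and ports are constructed for illustration. It reports which inbound packets each type forwards to a phone after one outbound packet, which is what an audit of media paths through the firewall needs to establish.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy model of the four NAT behaviours listed above (constructed, not vendor code)."""
    kind: str                                  # "full", "restricted", "port_restricted", "symmetric"
    next_port: int = 40000                     # next free public port (constructed value)
    maps: dict = field(default_factory=dict)   # mapping key -> public port
    sent: dict = field(default_factory=dict)   # public port -> set of (dst_ip, dst_port) contacted

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to dst=(ip, port); returns the public port used."""
        # Symmetric NAT allocates a mapping per (source, destination) pair;
        # the cone types reuse one mapping per internal source.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.next_port += 1
        port = self.maps[key]
        self.sent.setdefault(port, set()).add(dst)
        return port

    def inbound_allowed(self, remote, public_port):
        """Would a packet from remote=(ip, port) to public_port be forwarded inside?"""
        peers = self.sent.get(public_port)
        if peers is None:
            return False                       # no mapping exists for this port
        if self.kind == "full":
            return True                        # any remote host may use the mapping
        if self.kind == "restricted":
            return remote[0] in {ip for ip, _ in peers}   # checks IP address only
        return remote in peers                 # port restricted / symmetric: IP and port

def audit(kind):
    """One outbound packet from a phone to a proxy, then three inbound probes."""
    nat = Nat(kind)
    phone, proxy = ("10.0.0.5", 16384), ("198.51.100.10", 5060)
    port = nat.outbound(phone, proxy)
    return {
        "same_peer": nat.inbound_allowed(proxy, port),
        "same_ip_other_port": nat.inbound_allowed(("198.51.100.10", 20000), port),
        "other_host": nat.inbound_allowed(("198.51.100.20", 20000), port),
        "new_port_per_destination": nat.outbound(phone, ("198.51.100.20", 20000)) != port,
    }
```

Calling audit() for each of the four kinds gives the comparison table an auditor would otherwise have to derive from the firewall vendor's documentation.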


Logical Auditing Concerns (Cont’d)

Remote Management
– Use SSH only for remote administration and management.
• Telnet is dead.

– For the truly paranoid, use dedicated consoles for each management server

– How are the configuration files protected? Backed-up?


QoS: Quality of Service

Is Quality of Service a “Security Issue”?
– It is when the security features impact the VoIP QoS levels.
– You’ll invariably be asked about it during your Audit

The next few slides highlight some QoS issues


QoS

Latency – time from source to destination. The ITU-T recommended upper bound for latency is less than 150ms.
– Queuing
– Encoding
– Packetization
– Transmission


Jitter

Jitter – the time differences between packet arrival on the receiving end.
– Jitter often affects QoS more than latency
– Caused by low bandwidth
– Can cause packets to be processed out of sequence and/or dropped if they fall outside of the receiving buffer
– Firewalls are a big source of jitter introduction


Bandwidth & Packet Loss

What is the available bandwidth for VoIP traffic? If on a VLAN, this answer is easy to compute. If on a shared network, this is quite a bit different (and more variable).

Packet Loss results from excessive latency or jitter, as well as from voice data riding over UDP.


What about H.235

Provides H.323 Security Features through defined profiles which provide different levels of security.

These must be required, not an optional implementation, as clients may choose not to use the features.


H.235v2/3

Builds up from H.235 and offers enhanced encryption as well as:
– Annex D: Shared secrets and keyed hashes
– Annex E: Digital signatures on every message
– Annex F: Digital signatures and shared secret establishment

Is it required?


What about Session Initiation Protocol (SIP)?

SIP Offers HTTP Digest Authentication
– Based on a challenge-response system
– Replaces HTTP Basic Authentication so that the password is not sent in the clear!

S/MIME can be used to enable public key distribution as well as authentication and integrity protection
– Authentication (and Integrity) of signaling data
– Confidentiality of signaling data


SIP Security With TLS

TLS: Successor of SSL protects SIP signaling (integrity, confidentiality, replay)

Only works with TCP based SIP signaling

Must be configured hop-by-hop between user agents and proxies or between proxies

Provides key management with mutual authentication and secure key distribution


SIP Security

Besides TLS, SIP also supports:
– HTTP Digest
– IPSec (With IKE)
– IPSec (With manual key exchange)
– S/MIME

Be aware of bidding down attacks
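
The challenge-response computation behind SIP's HTTP Digest authentication, with a server-side check that refuses a bid-down reply, as an added example (not from the original slides). It follows RFC 2617 with MD5; the account, realm, nonce and password are constructed, and rejecting replies that omit the offered qop is an assumed server policy.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' value; only this hash crosses the wire, never the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:                                    # qop=auth binds nonce count and client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")     # legacy form without qop

def verify(creds, password, method, offered_qop="auth"):
    """Server-side check of the Authorization parameters in creds (a dict).
    Refuses a reply that drops the qop the server offered (bidding down)."""
    if offered_qop and creds.get("qop") != offered_qop:
        return "rejected: qop downgraded"
    expected = digest_response(creds["username"], creds["realm"], password, method,
                               creds["uri"], creds["nonce"], creds.get("qop"),
                               creds.get("nc"), creds.get("cnonce"))
    ok = hmac.compare_digest(expected, creds["response"])   # constant-time comparison
    return "accepted" if ok else "rejected: bad response"

def demo():
    """Three REGISTER replies: valid, wrong password, and qop stripped."""
    # Constructed values for illustration; none of them come from the slides.
    base = {"username": "alice", "realm": "voip.example", "uri": "sip:voip.example",
            "nonce": "5f2a9c0e7b1d4a638c0f2e9d7a6b5c41"}
    full = dict(base, qop="auth", nc="00000001", cnonce="0a4f113b")
    full["response"] = digest_response("alice", "voip.example", "s3cret", "REGISTER",
                                       full["uri"], full["nonce"], "auth",
                                       full["nc"], full["cnonce"])
    legacy = dict(base)                        # same account, reply sent without qop
    legacy["response"] = digest_response("alice", "voip.example", "s3cret", "REGISTER",
                                         base["uri"], base["nonce"])
    return (verify(full, "s3cret", "REGISTER"),
            verify(full, "wrong", "REGISTER"),
            verify(legacy, "s3cret", "REGISTER"))
```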


SRTP

Secure Real-time Transport Protocol
– A “profile” of RTP offers confidentiality, authentication, and replay protection
– Encrypts Payloads
– Independent of the key management system
– Independent of the RTP stack chosen
– Can use AES
– Hardware Crypto Support, although it was designed with low computational requirements.


SRTP Audit Points

Keep these things in mind:
– How are the encryption keys distributed?
• Pre-Shared
• Public Key
• Diffie-Hellman Key Exchange using Public Key
• Diffie-Hellman Key Exchange using Pre-Shared Secret

– Is it only being used for encryption or also integrity and replay-attack protection?


What I’m Seeing…

Default administration accounts

Ineffective encryption (It may be AES, but not in use at key points)

Web-Server interfaces (It may be easier for the admin and the bad-guys!)

DHCP and TFTP Server Spoofing and Insertion Attacks


What I’m Seeing

Random responses to invalidly formatted or excessive packets

Security mechanisms susceptible to “bidding-down” attacks

Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed


What’s in my toolbox?

In order to perform a technical based review, you’ll need some tools:
– Sniffers
– Injectors
– Vulnerability Scanners

Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!


Network Sniffers

Empirix Hammer Call Analyzer

VoIP Specific

Great for beginners through advanced users

Very expensive


VoIP Sniffers Also Do Call Analysis


Network Sniffers

Ethereal

Requires more work to decode the packets and review traffic

It’s Open Source, it’s free, and it’s supported through a large user community


Network Traffic Injectors

Available From: http://www.komodia.com/

Great Packet Crafting Tool


SiVus



Various Documents


Additional Resources

National Institute of Standards and Technology: Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/

Empirix Call Analyzer: http://www.empirix.com/Empirix/Network+IP+Storage+Test/

SiVus at VoP Security: http://www.vopsecurity.org/

IETF/ITU Documents

ETSI Tiphon Documents

J. Halpern, “IP Telephony Security in Depth”, Cisco


VoIP Summary

Know your stuff! Or hire those that do!
– VoIP technology is still evolving and is very complex!

It’s more than just voice on the IP network

Look for everything you would look for with a standard Audit and you’ll knock out a lot of the “common” audit findings.

Watch mis-configurations on VoIP. Understand the configurations. What looks good may not be.


Contact Information

Lucent Technologies
Bell Labs Innovations

Lucent Technologies Inc.
Room 2N-611G
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]

George McBride
Senior Manager
Lucent Worldwide Services

Please contact me with any questions, comments, complaints, or new developments.